This repository walks you through a scenario covering threat detection and remediation using Amazon GuardDuty;

• Architecture
• Scenario
• Deployment
• Test

TBD ...

• GuarddutyEnabledStack: This stack for enabled detector setting.
• GuarddutyHandsOnStack: This stack will deploy malicious and compromised instances and resources.

• AWS CDK – This solution uses the CDK Template language in Typescript to create each resource.
• Amazon EC2 – It's will created 2 malicious instances and 2 compromised instance.
• Amazon S3 – Logging and compromised detection data is stored in an Simple Storage Service (S3) Bucket.
• Amazon DynamoDB – Sample for compromised database table.
• Amazon SNS – Notification.
• AWS Lambda – Capture GuardDuty finding event and send response email to Admin.
• Amazon Eventbridge – Capture GuardDuty finding event and send response email to Admin.

Create your AWS account at http://aws.amazon.com by following the instructions on the site. Then create IAM User permission setting AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in your environment variables.

Install AWS CDK CLI from npm

$ npm i -g aws-cdk

For first initial, run bootstrap deploy in your acoount.

$ cdk bootstrap aws://${your-account-id}/us-east-1

Install dependencies packages.

$ npm install

Configuration setting file config.json, The deployment administrator will be notified for revoke old sessions.

# config.json
{
    "namePrefix": "GuardDuty-HandsOn",
    "email": "root@mail.com"
}

$ cdk ls
GuarddutyEnabledStack
GuarddutyHandsOnStack

If you have enabled the GuardDuty dectector setting, then you can deploy GuarddutyHandsOnStack directly

$ cdk deploy GuarddutyHandsOnStack

Or deploy all stacks

$ cdk deploy --all

To build the project and run the test, issue these commands.

$ npm run build && npm test